CCM-11171 Implement mTLS on proxy

Author: nhsd-david-wass

.github/actions/build-proxies/action.yml

@@ -19,6 +19,16 @@ runs:
       run: npm ci
       shell: bash
 
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: arn:aws:iam::820178564574:role/nhs-main-acct-supplier-api-github-deploy
+        role-session-name: ${{ github.run_id }}
+        aws-region: eu-west-2
+        role-skip-session-tagging: true
+
+
+
     - name: Setup Proxy Name and target
       shell: bash
       run: |
@@ -28,12 +38,27 @@ runs:
           echo "INSTANCE=$PROXYGEN_API_NAME" >> $GITHUB_ENV
           echo "TARGET=https://suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
           echo "SANDBOX_TAG=latest" >> $GITHUB_ENV
+          echo "MTLS_CRT=/nhs/ssl/ca-crt" >> $GITHUB_ENV
+          echo "MTLS_KEY=/nhs/ssl/ca-key" >> $GITHUB_ENV
+          echo "MTLS_NAME=notify-supplier-mtls" >> $GITHUB_ENV
         else
           echo "TARGET=https://pr$PR_NUMBER.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
           echo "INSTANCE=$PROXYGEN_API_NAME-PR-$PR_NUMBER" >> $GITHUB_ENV
           echo "SANDBOX_TAG=pr$PR_NUMBER" >> $GITHUB_ENV
+          echo "MTLS_CRT=/nhs/pr$PR_NUMBER/ssl/ca-crt" >> $GITHUB_ENV
+          echo "MTLS_KEY=/nhs/pr$PR_NUMBER/ssl/ca-key" >> $GITHUB_ENV
+          echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
+
         fi
 
+    - name: Download MTLS Credentials
+      shell: bash
+      run: |
+        mkdir -p ${HOME}/.proxygen
+        aws ssm get-parameter --name $MTLS_CRT --with-decription --query "Parameter.Value" --output text >> ${HOME}/.proxygen/mtls.crt
+        aws ssm get-parameter --name $MTLS_KEY --with-decription --query "Parameter.Value" --output text >> ${HOME}/.proxygen/mtls.key
+
+
 
     - name: Install Proxygen client
       shell: bash
@@ -50,6 +75,11 @@ runs:
         envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
         envsubst < ./.github/proxygen-settings.yaml | cat
 
+    - name: Register MTLS cert with proxygen
+      shell: bash
+      run: |
+        proxygen secret put --mtls-cert ${HOME}/.proxygen/mtls.crt --mtls-key ${HOME}/.proxygen/mtls.key internal-dev $MTLS_NAME
+
     - name: Build internal dev oas
       working-directory: .
       shell: bash
@@ -61,11 +91,11 @@ runs:
           make build-json-oas-spec APIM_ENV=dev-pr
         fi
 
-    - name: Set target
+    - name: Set target and cert
       shell: bash
       run: |
         jq --arg newurl "$TARGET" '.["x-nhsd-apim"].target.url = $newurl' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
-
+        jq --arg newmtls "$MTLS_NAME" '.["x-nhsd-apim"].target.security.secret = $newmtls' > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
 
     - name: Deploy to Internal Dev
       shell: bash

.github/workflows/stage-3-build.yaml

@@ -36,6 +36,9 @@ on:
         required: false
         type: string
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
 jobs:
   artefact-jekyll-docs:
     name: "Build Docs"

specification/api/components/x-nhsd-apim/target-dev-pr.yml

@@ -2,6 +2,5 @@ type: external
 healthcheck: /_status
 url: https://suppliers.dev.nhsnotify.national.nhs.uk
 security:
-  type: apikey
-  header: Authorization
-  secret: nhs-notify-supplier-key
+  type: mtls
+  secret: nhs-notify-supplier-mtls

specification/api/components/x-nhsd-apim/target-dev.yml

@@ -2,6 +2,5 @@ type: external
 healthcheck: /_status
 url: https://suppliers.dev.nhsnotify.national.nhs.uk
 security:
-  type: apikey
-  header: nhsd-apim-apikey
-  secret: nhs-notify-supplier-key
+  type: mtls
+  secret: nhs-notify-supplier-mtls